Transcription

1 Government response to the AIV/CAVV report on cyber warfare On 17 January 2012 a joint committee of members of the Advisory Council on International Affairs (AIV) and the Advisory Committee on Issues of Public International Law (CAVV) presented an advisory report on cyber warfare. The government is grateful to the AIV/CAVV for its in-depth study of this issue. It is a valuable contribution in the debate on cyber security and will aid the government in clarifying and consolidating policy in this field. The report supplements the National Cyber Security Strategy which focuses on protecting national security and tackling cybercrime (Parliamentary papers 26643, no. 174). It also supplements the Cyber Security Legal Framework sent to the House of Representatives on 23 December (Parliamentary papers 26643, no. 220). 1. Summary The main points of the government s response are as follows. - The cyber threat we face demands a comprehensive strategy. The advisory report is supplementary to the national approach. In light of this, the existing national crisis management structure will have to be reviewed. - Cyberspace is an operational domain for the armed forces. The Ministry of Defence is investing in measures to greatly strengthen existing capabilities and develop new (including offensive) capabilities. - The right to use force in self-defence may apply in relation to cyber attacks. - The government sees no need for a new global cyber treaty, although it will promote a practical framework for the application of international law in cyberspace. - Though NATO cyber policy is defensive, discussion of the use of offensive capabilities will become necessary at some point. Article 5 of the NATO Treaty also applies to cyber attacks. - A comprehensive EU approach is required. 2. The cyber threat The government sees the growing threat in cyberspace to national interests and the increase in technologically advanced cyber attacks as cause for concern. Espionage, sabotage, crime and terrorism in cyberspace constitute a direct threat to national security. This was one of the conclusions of the first National Cyber Security Assessment (CSBN) completed in December 2011 (Parliamentary papers , no. 220). Without diminishing the seriousness of the threat, the government endorses the AIV/CAVV s conclusion that further study is needed. The CSBN, 1

2 coordinated by the National Cyber Security Centre (NCSC), is a valuable instrument for this purpose. It will be further refined in the coming years, with specific emphasis on improving the quality and quantity of the data it contains. A secure and properly functioning digital network is essential to the Netherlands, with its open and internationally oriented economy and strong service sector. The comprehensive approach set out in the National Cyber Security Strategy will continue to be the general principle underlying government policy. This was the basis for the establishment of the NCSC, which is a public-private partnership. A joint, public-private and civil-military approach is required because neither the nature, extent and level of complexity of an attack will always be clear, nor the ultimate aim (criminal, ideological, military or political) of the attacker. This makes it difficult to determine the legal basis of the response and the resources required. In organising a joint approach it is important for roles, tasks and responsibilities to be clearly defined. On the initiative of the National Coordinator for Counterterrorism and Security (NCTV), the existing crisis management structure will be reviewed to see whether it is capable of dealing swiftly and effectively with large-scale digital disruption. As the AIV/CAVV rightly points out, it is also important to invest in coherent cyber diplomacy. 3. The armed forces operational domain The large-scale use of ICT has enabled the armed forces to perform their tasks more effectively and efficiently, but it has also increased its vulnerability. The digital domain is therefore of critical importance to the armed forces. Without a functioning ICT infrastructure the armed forces simply cannot carry out their duties. Virtually all weapons and sensor systems have ICT components, while both command and control and logistical support are dependent on digital systems. Disruption of the armed forces ICT infrastructure will thus jeopardise its effectiveness and the ability to continue operations. The priority is therefore to safeguard the reliability of military networks, weapons systems, intelligence and command and control systems, and to prevent the theft of information. At the same time, cyberspace provides an operational domain for the armed forces which, as the AIV/CAVV rightly notes, is expected to play an important role in every future conflict. As the networks of potential opponents are vulnerable like our own, cyberspace can also be exploited to enhance our intelligence position and to carry out military operations. The rise of cyberspace as an operational domain strengthens the current trend whereby traditional warfare is giving way to a more hybrid and multifaceted model of conflict, in which the use of ICT plays an ever-growing role. This picture is further complicated by the fact that it is difficult to establish where cyber attacks originate and who is behind them. In addition, the AIV/CAVV rightly concludes that a cyber war, fought solely in cyberspace, is currently an unlikely prospect. What is probable, however, is that operational cyber capabilities will be deployed frequently in the near future, either independently or 2

3 in support of regular military actions. To this end, offensive operational cyber capabilities will have to become part of the total military capability of the Dutch armed forces. In this regard, the armed forces must have sufficient capability to be able to respond adequately and effectively in all circumstances and against every opponent. Intelligence capability An excellent intelligence capability is a basic necessity for the defence organisation in order to function and operate in cyberspace. With regard to the issue of attribution, the AIV/CAVV correctly concludes that the intelligence and security services have an important role to play. Intelligence and counter-intelligence activities conducted by the Defence Intelligence and Security Service (MIVD) do not constitute offensive activities. These activities concern the gathering of information from closed sources within the constraints of the Intelligence and Security Services Act 2002 (WIV 2002). The AIV/CAVV is of the opinion that in the light of technological advances a review should be conducted of the WIV 2002 to see whether the current distinction between cable-access and satellite interception should be retained. This view is supported by the conclusions of the Intelligence and Security Services Review Committee (CTIVD) in its recent supervisory report (no. 28) on the use of signals intelligence (SIGINT). The government is of the opinion that this distinction cannot be maintained. It is therefore preparing an amendment to the WIV 2002 which will have to make a careful assessment of privacy issues and take account of the effects on providers of electronic communications networks. The House of Representatives will be informed on progress regarding the amendment in the course of Strengthening the cyber capabilities of the armed forces Following the parliamentary debate on matériel on 7 November 2011, in answer to a question from MP Marcial Hernandez, the Minister of Defence promised to give an overview of the cyber activities of the armed forces in this response. This promise is fulfilled here. The degree to which the activities described can in fact be performed depends on the financial resources available. For policy development purposes, a defence strategy for cyber operations is being drawn up in close consultation with national and international partners. The strategy will be finalised and presented to the House before the summer. A cyber programme manager has been appointed and Cyber Task Force set up under the authority of the Chief of Defence (CHOD). The programme manager is responsible for coordinating all cyberrelated activities within the defence organisation. In the short term, priority is given to strengthening defensive and intelligence capabilities. In the medium term, the focus is on establishing a Defence Cyber Expertise Centre (DCEC) by the end of 2013 and a Defence Cyber Command Centre (DCC) 3

4 by the end of The DCC will coordinate cyber operations within the defence organisation and will be responsible for the connection between the various cyber capabilities within the defence organisation. The Royal Netherlands Army (CLAS) will play a major executive role in the operational arena. The AIV/CAVV also notes that recruitment and retaining sufficient numbers of properly qualified staff will present a major challenge. In view of the need for qualified specialists in other sectors, here too the Ministry of Defence will have to work closely with other public and private parties so as to make the most effective joint use of scarce human resources. Consultations are already taking place between ministries and with companies and universities. The possibilities for creating a pool of cyber reservists are also being explored. Defensive measures focus on enhancing protection of networks and weapons and control systems. The Ministry s Computer Emergency Response Team (DefCERT) holds joint responsibility for the security of these networks and systems and must be fully operational by mid-2013 to protect the most sensitive defence networks around the clock. Capacity will be expanded further in the period leading up to 2016 to include other networks and weapons and control systems. DefCERT is due to conclude a voluntary agreement with the NCSC establishing a framework for intensive cooperation (information exchange and support) in the event of a disaster. At the same time, the Cyber Task Force will be developing an offensive capability and drafting a cyber doctrine for the armed forces. The AIV/CAVV also concludes that for offensive operations in the digital domain often the same technology is used as for intelligence purposes. Achieving an offensive capability therefore requires the efficient use of the scarce cyber capacity (including intelligence capacity) within the defence organisation. In developing this offensive capability, the AIV/CAVV s considerations on the distinction between the duties of the CHOD and the director of the MIVD will be taken into account. In the period from 2012 to 2015 the MIVD will increase its cyber intelligence capacity. The first step was taken with the addition of nine FTEs as of 1 January What is more, the MIVD and the General Intelligence and Security Service (AIVD) are stepping up cooperation in the field of cyber and signals intelligence, which should culminate in the establishment of a joint unit for gathering SIGINT and cyber intelligence. Within the defence organisation, developing and retaining knowledge regarding the cyber threat is the primary responsibility of the DCEC. The first priority is to increase awareness of the threat among personnel. An interactive environment consisting of e-learning modules, a simulation and a knowledge base will soon be available for training purposes. 4

5 Investment will also be made in research. In 2012 a senior lecturer in Cyber Studies will be appointed and a research group set up at the Netherlands Defence Academy (NLDA), while on 1 January 2014 a chair in cyber defence studies will be established. A wide-ranging cyber research programme was launched at the Netherlands Organisation for Applied Scientific Research (TNO) in January The defence research programme is part of a national cyber security research agenda that aims to make the most effective use of the available research budgets. 4. The international legal framework Use of force and the right of self-defence (jus ad bellum) The findings of the AIV/CAVV with regard to the use of force and the right of self-defence are largely in line with the government s position. Particularly relevant is its conclusion that cyber attacks are subject to the same rules as the use of force in the physical domain. In the advisory report the existing rules of international law on the use of force are strictly applied to cyber attacks, fully echoing the government s views. The AIV/CAVV concludes that both state and non-state actors can carry out an armed attack within the meaning of the UN Charter against which the use of force for the purposes of self-defence is permissible. The government endorses this conclusion and emphasises that it constitutes a significant legal development. The government also endorses the AIV/CAVV s conclusion that attribution presents a substantial challenge where cyber attacks are concerned. It concurs with the AIV/CAVV s view that force may be used in self-defence only if the origin of the attack and the identity of those responsible are sufficiently certain. It also concurs with the view that the use of force in response to an armed cyber attack must comply with the international law requirements of necessity and proportionality. International humanitarian law (jus in bello) The government shares the AIV/CAVV s conclusion that applying the rules of international humanitarian law (jus in bello) to hostilities in cyberspace is technically feasible and legally necessary. However, it also agrees with the AIV/CAVV s view that armed attacks in cyberspace only fall under international humanitarian law if they are carried out in the context of an armed conflict by the parties to that conflict. This constitutes an important distinction with regard to other cyber attacks. The advisory report examines the issue of armed conflict initiated by a cyber attack and gives some useful examples of the practical application of the basic principles of international humanitarian law to cyber warfare. Neutrality 5

6 The government regards the AIV/CAVV s elaboration of the concept of neutrality in relation to the deployment of cyber weapons as a useful starting point for further thinking on this subject. In an armed conflict involving third parties, the Netherlands can protect its neutrality by impeding the use by such parties of infrastructure and systems (e.g. botnets) on Dutch territory. Constant vigilance, as well as sound intelligence and a permanent scanning capability, are required here. Cyber treaty Like the AIV/CAVV the government sees at present no need for a new, global cyber treaty. It believes that existing rules of European and international law suffice with regard to cyber attacks. It does however support the recommendation in the report to give more political weight and practical effect to the application of international law in the digital domain through the introduction of a code of conduct. 5. International cooperation The interconnected and interdependent nature of ICT systems worldwide makes international civilmilitary and public-private partnerships indispensable. Close, bilateral consultations to this end are being held with the United States, the United Kingdom, Germany, Australia and the other Benelux countries. The potential for closer cooperation with Canada, France and the Scandinavian countries is being explored. As the AIV/CAVV observed, the Netherlands plays an active role in discussions on standards of conduct in cyberspace, mainly in order to preserve a free and open internet and offer a counterweight to countries wishing to restrict the free use of internet and media in the name of security and combating cyber crime. At the same time, the government acknowledges the importance of avoiding potential conflicts between countries resulting from cyber incidents. The Netherlands will pursue these aims in the appropriate forums. It also believes it is essential for businesses to shoulder their responsibilities when it comes to the export of technologies that could be used by governments for repressive purposes. In the interests of protecting human rights, the Netherlands considers it important for businesses not only to engage in self-regulation but also to have a framework in which to take decisions on the export of their products. It is therefore pressing for an expansion of the EU Dual-Use Regulation. This would make it possible to impose an ad-hoc licensing obligation for individual cases if there are indications that items will be used, partly or solely, for the commission of human rights violations. 6

7 NATO NATO s new Strategic Concept was followed up by a cyber defence policy, adopted in June As the AIV/CAVV notes, where cyber threats are concerned NATO is focusing primarily on strengthening its defensive capability. Partly owing to pressure from the Netherlands, the policy now addresses the need for more intensive information exchange, the development of a joint threat assessment and the importance of EU-NATO cooperation. The government also believes that in the longer term, NATO will have to develop a doctrine on the deployment of an offensive cyber capability. The decision on any collective response to a cyber attack would be taken according to the existing procedures. In the digital domain, as elsewhere, it is not always easy to establish when article 5 would come into operation. That is always a question that must be tackled at political level. European Union The government shares the AIV/CAVV s view that the EU would benefit from a comprehensive, coordinated approach to cyber security. Last year the European Commission launched its internal security strategy, which identifies raising levels of security for citizens and businesses in cyberspace as one of five priorities. The House of Representatives was informed of this on 19 January 2011 (Parliamentary papers no. 32). At the beginning of this year, European Commissioner Neelie Kroes announced plans for a European internet security strategy. The Netherlands supports these developments and will put its expertise, for example in the areas of threat assessment and publicprivate partnerships, at the Commission s disposal. In addition, the Netherlands is urging the Commission to give external, geopolitical considerations a clearly defined place in the EU approach to cyber security. 7

Information & Security: An International Journal Valentyn Petrov, vol.31, 2014, 73-77 http://dx.doi.org/10.11610/isij.3104 ESTABLISHING A NATIONAL CYBERSECURITY SYSTEM IN THE CONTEXT OF NATIONAL SECURITY

The National Cyber Security Strategy (NCSS) Success through cooperation 1. Introduction The Netherlands stands for safe and reliable ICT 1 and the protection of the openness and freedom of the Internet.

Second Cyber Security Summit, November 11, 2013 in Bonn Final communique On November 11, the Cyber Security Summit was held for the second time in Bonn at the invitation of the Munich Security Conference

Public Private Partnerships and National Input to International Cyber Security 10 September 2009 Tallinn, Estonia Maeve Dion Center for Infrastructure Protection George Mason University School of Law Arlington,

DCAF a centre for security, development and the rule of law On the European experience in critical infrastructure protection Valeri R. RATCHEV ratchevv@yahoo.com @ratchevv DCAF/CSDM 1 This presentation

Germany: Report on Developments in the Field of Information and Telecommunications in the Context of International Security (RES 69/28), General appreciation of the issues of information security Information

Policy Document Cybersecurity Strategy of the Republic of Cyprus Network and Information Security and Protection of Critical Information Infrastructures Version 1.0 23 April 2012 TABLE OF CONTENTS EXECUTIVE

What limits does the law of war impose on cyber attacks? Interview 28 JUNE 2013. Questions and answers - Does cyber warfare have limits and rules? Are civilian computers, networks and cyber infrastructure

Report Cyber Space in Estonia: Greater Security, Greater Challenges By Piret Pernik with Emmet Tuohy August 2013 ISSN 2228-0529 {Author(s)} Introduction For the last five years, Estonia has been implementing

Speech by Mr Rudolf Peter ROY, Head of division for Security Policy and Sanctions of the European External Action Service, at the L COSAC Meeting 29 October 2013, Vilnius Honourable members of the National

RUSSIA CHINA NEXUS IN CYBER SPACE E. Dilipraj Associate Fellow, CAPS On May 08, 2015 Russia and China inked an important agreement in the field of cyber security. This bilateral agreement is the latest

Review Report arising from the crash of flight MH17 The role of the General Intelligence and Security Service of the Netherlands (AIVD) and the Dutch Military Intelligence and Security Service (MIVD) in

Erich Reiter and Johann Frank The European Security Strategy Austrian Perspective The following essay gives the Austrian view on the ESS from a security political perspective and analyses the needs and

KPMG Legal Cybersecurity and the Romanian business environment in the regional and European context Developing a cybersecurity culture for the users of digital and communications systems has become a mandatory

EU Cybersecurity: Ensuring Trust in the European Digital Economy Synthesis of the FIC Breakfast-Debate 15 October 2013, Brussels With the participation of Tunne Kelam Member of the European Parliament'

1. Introduction E-SECURITY REVIEW 2008 DISCUSSION PAPER FOR PUBLIC CONSULTATION Australia s national security and economic and social well-being rely upon the use and availability of a range of Information

Section 2 Trends Concerning Cyberspace 1 Cyberspace and Security Owing to the information technology (IT) revolution in recent years, information and communication networks such as the Internet are becoming

Energy Security: Role of Regional Cooperation Traian Chebeleu Today s Conference is dedicated to a topic that has deeply preoccupied the governments and the business communities in the Emerging Europe,

Centre for Security Cooperation Military Academy General Mihailo Apostolski - Skopje Building a Cyber Resilient Society in SEE (IRC-O1-P-16) 27 April 2016 Rakitje, Croatia The workshop Building a Cyber

1 Modern security environment contains a broad and evolving set of challenges to the security of NATO s territory and populations. In order to assure their security, the Alliance must and will continue

Panel 3: Applicability of International Law to Cyberspace & Characterization of Cyber Incidents Catherine Lotrionte and Eneken Tikk, co-chairs Cyber security and the acceptable behavior of state and non-state

Will Canada s Cybersecurity Legislation Impact Your Business? Be aware of your obligations In 2015, the Government of Canada introduced a number of legislative amendments and programs in an effort to keep

GOVERNMENT OF THE REPUBLIC OF LITHUANIA RESOLUTION NO 796 of 29 June 2011 ON THE APPROVAL OF THE PROGRAMME FOR THE DEVELOPMENT OF ELECTRONIC INFORMATION SECURITY (CYBER-SECURITY) FOR 20112019 Vilnius For

CyberCrime@EAP EU/COE Eastern Partnership Council of Europe Facility: Cooperation against Cybercrime Strategic Priorities for the Cooperation against Cybercrime in the Eastern Partnership Region Adopted

Management and Economics 307 FINANCING AND PLACE OF THE BULGARIAN ARMY IN THE OPERATIONS OF INTERNATIONAL CRISIS MANAGEMENT Elitsa PETROVA elitsasd@abv.bg Nikolay NICHEV National Military University, Veliko

Today s Global Cyber Security Status and Trustworthy Systems That Leverage Distrust Amongst Sovereigns Benjamin GITTINS Ronald KELSON What is cyberspace and why is it so important? US Government Cyberspace

Appendix 2 Deterrence as a security concept against cyber threats Sico van der Meer Current situation Cyber threats, also referred to as digital threats, are among the greatest threats currently facing

F-43 FOREIGN AFFAIRS AND TRADE Australia - Cyber: Reports of Chinese cyber attacks Possible Ouestion Why has the Government not confronted China about cyber attacks including on DFAT, such as those aired

New Security Studies Rachel Suissa (Ph.D) University of Haifa, Israel In today s globalised setting, the challenge of maintaining security is no longer limited to the traditional foreign-policy and military

Middle Class Economics: Cybersecurity Updated August 7, 2015 The President's 2016 Budget is designed to bring middle class economics into the 21st Century. This Budget shows what we can do if we invest

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 The following consists of the joint explanatory statement to accompany the Cybersecurity Act of 2015. This joint explanatory statement

Cyber security guide for boardroom members 2 Cyber security guide for boardroom members Cyber security at strategic level Our society is rapidly digitising, and we are all reaping the benefits. Our country

Cyber Security and Privacy Services Working in partnership with you to protect your organisation from cyber security threats and data theft 2 Cyber Security and Privacy Services What drives your security

English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Federal Act on Private Security Services provided Abroad

COMMITTEE OF EXPERTS ON TERRORISM (CODEXTER) CYBERTERRORISM THE USE OF THE INTERNET FOR Kapitel 1 TERRORIST PURPOSES GEORGIA January 2013 www.coe.int/terrorism A. National policy 1. Is there a national

(U) Appendix E: Case for Developing an International Cybersecurity Policy Framework (U//FOUO) The United States lacks a comprehensive strategic international policy framework and coordinated engagement

www.gipfelsoli.org http://euro-police.noblogs.org Proactive Repression IMF: More public disorder "Economy-related riots and unrest in various global markets if the financial crisis is not addressed and

The Guidelines for U.S.-Japan Defense Cooperation April 27, 2015 I. Defense Cooperation and the Aim of the Guidelines In order to ensure Japan s peace and security under any circumstances, from peacetime

ORIGINAL: ENGLISH 11th May, 1967 DOCUMENT DEFENCE PLANNING COMMITTEE Decisions of Defence Planning Committee in Ministerial Session Note by the Chairman I attach for your information a list of the decisions

CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to

Cyber Europe 2014 Questions and Answers 1 What is Cyber Europe 2014? Cyber Europe 2014 (CE 2014) is the largest and most comprehensive EU cyber-security exercise to date. It is a multi-event cyber exercise

United Nations S/RES/1674 (2006) Security Council Distr.: General 28 April 2006 Resolution 1674 (2006) Adopted by the Security Council at its 5430th meeting, on 28 April 2006 The Security Council, Reaffirming

HMG Security Policy Framework Security Policy Framework 3 Foreword Sir Jeremy Heywood, Cabinet Secretary Chair of the Official Committee on Security (SO) As Cabinet Secretary, I have a good overview of

Preparing for cyber warfare? SUMMARY In recent years, cyber attacks on a serious scale have become a matter of concern to states, due to the threat they can pose to national security, but also a potential

Tough New EU-Wide Cybersecurity Rules in Prospect: The Network and Information Security Directive OnPoint: A Legal Update from Dechert s International Trade and EU Regulation, and Privacy and Cybersecurity

29.3.2014 Official Journal of the European Union L 96/149 DIRECTIVE 2014/32/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 26 February 2014 on the harmonisation of the laws of the Member States relating